12-16-2019 04:46 AM - edited 02-21-2020 09:49 PM
We currently operate a "Tunnel All" policy for VPN traffic due to conditional access of hosted applications (traffic must come from the head office IP).
What we're finding with the increase in remote workers with fast home connections is that they're saturating the HQ bandwidth.
Is there a way we can rate limit the VPN users (AnyConnect IP pool - 10.1.0.0/24), only allowing them 40Mbps?
02-04-2022 07:53 AM - edited 02-04-2022 08:04 AM
Hello
According to this document, per-tunnel QoS is supported only on FTD software:
But if you have a look at this document, it seems possible to apply per-flow policing on a tunnel group.
It doesn't seem to be supported on SSL client tunnels:
https://tools.cisco.com/bugsearch/bug/CSCsl73211/?reffering_site=dumpcr
This other document seems to confirm that it is applied per flow:
"The criteria to define flow is the destination IP address. All traffic going to a unique IP destination address is considered a flow. Policy action is applied to each flow instead of the entire class of traffic."
As each Anyconnect client has its own IP address, it seems that downstream traffic from headend could be rate limited per client this way.
Note that there seems to be a limitation on tunnels with webvpn attributes, as they do not support policing. So if it works, it would only be on IKEv2 client tunnels.
Moreover, policing is not supported on clientless VPN:
I did not try any of these configurations. Not sure it works.
Hope this helps
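As an added illustration (not from the original thread, and untested, as the answer above itself says), this is what the per-flow policing described in the answer would look like in ASA configuration. The tunnel-group name RA_IKEV2, the class-map and policy-map names, the interface name outside and the burst value are assumptions; the 40 Mbps figure and the 10.1.0.0/24 pool come from the question. Because the flow is keyed on destination IP address, `police output` caps traffic leaving the headend toward each individual client address in the pool, one bucket per client. It does not limit what each client sends upstream, and per the answer it would not apply to a tunnel-group with webvpn attributes.

```text
! Class map: one flow per destination IP, limited to the remote-access tunnel-group.
! This is the one case where the ASA accepts two match statements in a class map.
! RA_IKEV2 is an assumed tunnel-group name.
class-map RA_VPN_FLOWS
 match tunnel-group RA_IKEV2
 match flow ip destination-address
!
! Policy map: police each matched flow to 40 Mbps (rate is in bits per second,
! burst in bytes; the burst value here is an example) and drop the excess.
policy-map RA_VPN_QOS
 class RA_VPN_FLOWS
  police output 40000000 1500000 conform-action transmit exceed-action drop
!
! Apply on the interface the AnyConnect clients terminate on (nameif assumed).
service-policy RA_VPN_QOS interface outside
!
! Verification after a client connects: conformed/exceeded counters per flow.
show service-policy police
```

Each AnyConnect client receives a unique address from 10.1.0.0/24, so downstream traffic to each client becomes its own flow and is policed separately; the total headend bandwidth consumed by all clients is still the sum of those flows, which is worth keeping in mind when sizing the per-flow rate.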